With Debian you should install Lenny, Squeeze or any release newer than Etch (on other distributions the commands and parameters given here may not work as-is). In any case, do not use Sid, or the unstable branch of whatever system you choose. On a Debian system you install these minimal requirements with command lines like the following:

You can use the command apt-cache search <your search> if you don't know the exact name of an additional server package you want.

As stability and security matter most in such a configuration, do not install the X server, any graphical application, or any software or server you do not need. The best approach is a fresh minimal Debian installation (or its equivalent on your distribution), then typing the commands given above once logged in.

Note that, contrary to my previous tutorial, I no longer recommend iptables-persistent: this tutorial creates a script that replaces it, is more flexible, and can be loaded at boot time from an init script (so the rules survive a server reboot).

2. Configuring your connection

eth0 (first network card: internet zone) will be connected to your modem or to the ISP's router

eth1 (second network card: private network) will be connected to an Ethernet hub or switch

eth2 (third network card) will be connected to a WiFi access point for a public WiFi network

Of course the public WiFi access is optional and is given here as an example of such a use. For private WiFi access the best way is to connect the access point to the switch of the private network. You can also have several separate private networks as well as several public WiFi networks: just repeat the lines given for each one with the right parameters.

The base address used here is of the form 192.168.x.y, but you can use something else. This base remains a good choice because you are sure it will not conflict with an external address you may need to reach. For example, if you choose a base like 209.85.229.x for one of your private networks, you may not be able to access the Google website, or part of it, which uses that range (209.85.229.147 is one of the addresses of www.google.com), as your private network will take priority in the routing table. The bases you can safely use are the ones reserved for private networks by RFC 1918: 192.168.x.y, 172.16.x.y to 172.31.x.y, or (mainly if you have bigger needs) 10.x.y.z.

Note that, for simplicity, this tutorial treats 192.168.1.y and 192.168.2.y as two different sub-networks (a /24 each). This is enough most of the time, as it is rare to need more than 250 computers on one network; people who do use more specialised routing (and server) systems, which is a bit outside this tutorial. It is nevertheless possible by choosing a wider mask so that both x and y are significant in the address: for example 192.168.0.0/22 (netmask 255.255.252.0) covers 192.168.0.1 to 192.168.3.254 for a first sub-network, and 192.168.128.0/23 (netmask 255.255.254.0) covers 192.168.128.1 to 192.168.129.254 for a second one. To do this, calculate the network masks precisely. If you don't know what a network mask is, forget about trying that ;)…

Now, I will consider the following for the remainder of this tutorial:

The internet zone will get its address via DHCP. This address comes either from your ISP or from a router (such as the one integrated in some ISP boxes). If that address is something like 192.168.0.254, your private network cannot use the same sub-network (in that case 192.168.0.y).

The private zone will get addresses dynamically from the router you are about to build, in the range 192.168.0.10 to 192.168.0.250. The remaining addresses (192.168.0.1 to 192.168.0.9 and 192.168.0.251 to 192.168.0.254) are reserved for statically configured hosts such as other servers. The router itself will have the static address 192.168.0.254.

In the same way, the public WiFi zone will use the smaller sub-network 192.168.1.0/25 (netmask 255.255.255.128, usable hosts 192.168.1.1 to 192.168.1.126) and hand out only a few small dynamic ranges so as to limit the number of guests. The router will have the static address 192.168.1.126 in that zone, the last usable host; note that 192.168.1.127 is the broadcast address of a /25 and cannot be assigned to a host.
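To catch exactly the kind of mistakes discussed above (a base that shadows public addresses, a DHCP range that spills out of its subnet, or a "router" address that is really the subnet's broadcast address) before they reach /etc/network/interfaces or dhcpd.conf, here is a small checker. It is added to this tutorial as an example and is not part of the original configuration; it is plain POSIX sh, assumes only the addresses and masks planned above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not taken from the page: subnet arithmetic in plain POSIX sh
# to sanity-check the static addresses planned for /etc/network/interfaces and
# the DHCP ranges before committing them. Needs nothing but the shell.

# Dotted quad -> 32-bit integer (subshell body keeps the IFS change local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network and broadcast addresses of ADDR NETMASK, as two integers.
net_bcast() {
    _ip=$(ip2int "$1"); _mask=$(ip2int "$2")
    _net=$(( _ip & _mask ))
    _bcast=$(( _net | (~_mask & 4294967295) ))
    echo "$_net $_bcast"
}

# Print "network broadcast first-host last-host" for ADDR NETMASK.
subnet_info() {
    set -- $(net_bcast "$1" "$2")
    echo "$(int2ip "$1") $(int2ip "$2") $(int2ip $(( $1 + 1 ))) $(int2ip $(( $2 - 1 )))"
}

# True when ADDR is a usable host address under NETMASK, i.e. neither the
# network nor the broadcast address (192.168.1.127 with a /25 mask fails).
valid_host() {
    _a=$(ip2int "$1")
    set -- $(net_bcast "$1" "$2")
    [ "$_a" -gt "$1" ] && [ "$_a" -lt "$2" ]
}

# True when every address of the DHCP range FIRST LAST is a usable host
# address inside the subnet NET NETMASK.
range_in_subnet() {
    _f=$(ip2int "$1"); _l=$(ip2int "$2")
    set -- $(net_bcast "$3" "$4")
    [ "$_f" -le "$_l" ] && [ "$_f" -gt "$1" ] && [ "$_l" -lt "$2" ]
}

# True when ADDR lies in one of the RFC 1918 private blocks, so it can never
# clash with a public address you need to reach (the 209.85.229.x case above).
is_rfc1918() {
    _a=$(ip2int "$1")
    { [ "$_a" -ge "$(ip2int 10.0.0.0)" ] && [ "$_a" -le "$(ip2int 10.255.255.255)" ]; } ||
    { [ "$_a" -ge "$(ip2int 172.16.0.0)" ] && [ "$_a" -le "$(ip2int 172.31.255.255)" ]; } ||
    { [ "$_a" -ge "$(ip2int 192.168.0.0)" ] && [ "$_a" -le "$(ip2int 192.168.255.255)" ]; }
}

# Check the router addresses of this tutorial, plus the .127 mistake.
check_plan() {
    for spec in "192.168.0.254 255.255.255.0" \
                "192.168.1.126 255.255.255.128" \
                "192.168.1.127 255.255.255.128"; do
        set -- $spec
        if valid_host "$1" "$2"; then
            echo "ok   $1 mask $2: net/bcast/first/last $(subnet_info "$1" "$2")"
        else
            echo "BAD  $1 mask $2: network or broadcast address, not a host"
        fi
    done
}

check_plan
```

Run it as-is to check the plan of this tutorial: the last line reports 192.168.1.127 as unusable with a /25 mask, which is why the router's WiFi address has to be .126 (or the mask 255.255.255.0 if you want .127 as a host). The same functions verify that each DHCP range stays strictly inside its subnet, which dhcpd itself does not always refuse.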

2.1 The /etc/network/interfaces file

This file configures your network connections and is used by the boot scripts to set them up. Be careful: that configuration file is specific to Debian-based systems and a few other distributions using Debian's scripts; the details are in the interfaces(5) manual page. According to the previous definitions it will look like this:


# Begin of /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# Interfaces to bring up at boot (space separated, no commas)
auto lo eth0 eth1 eth2

# The loopback network interface
iface lo inet loopback

# Primary network interface: internet zone (address, and the default
# gateway, come from the ISP or the modem via DHCP)
iface eth0 inet dhcp

# Second network interface: private zone (192.168.0.0/24)
iface eth1 inet static
    address 192.168.0.254
    netmask 255.255.255.0
    broadcast 192.168.0.255

# Third network interface: wifi zone (192.168.1.0/25). The router takes
# the last usable host; 192.168.1.127 is the broadcast address of a /25.
iface eth2 inet static
    address 192.168.1.126
    netmask 255.255.255.128
    broadcast 192.168.1.127

# No "gateway" line on eth1/eth2: the only default route is the one DHCP
# sets on eth0; a second one would make the routing table ambiguous.
# End of /etc/network/interfaces

Now let's explain that: we define four interfaces. First comes the loopback interface, a special reserved interface with the address 127.0.0.1 on which the computer talks to itself, as if through a virtual network card. Every Unix-like system has it and many programs rely on it, so keep it as-is.

Then we have three real network interfaces. The first one is different because it is configured by DHCP (Dynamic Host Configuration Protocol), the protocol commonly used to give a computer an IP address when it boots. Here we need the modem to give the first interface a valid address, particularly if your ISP gives you a dynamic address that changes from time to time; it will be our external address, and the default route to the internet comes with it. The "auto" line lists the interfaces to bring up at boot; lease renewals and address changes imposed by the ISP are handled by the DHCP client itself, not by that line.

The last two network interfaces are configured statically. Habitually the router's address ends in 254; this is not an obligation, more a tradition (in the /25 WiFi zone the last usable address is .126). There is no "gateway" line on these interfaces: the router's only default route is the one it gets on eth0, and the separation between zones is not done in this file but by the IPTables FORWARD rules, which decide what may cross from one interface to another.

If you want more details about that file and more advanced tweaks, read the associated manual page by typing "man 5 interfaces" in a terminal.

2.2. Configuring DHCP server

The DHCP server's job is to give IP addresses automatically to the computers plugged into our network, as it is difficult to ask everybody to configure their network connection by hand. So we need that server to give out correct values for the following:

IP address: the client's address on the network;

Mask: tells the client which addresses are on its own sub-network and can be reached directly; everything outside that mask is sent to the gateway;

Gateway: typically the router itself, that is the computer making the link between our private area and an external area;

DNS (Domain Name Server): when you want to go to Google you type www.google.com and not an IP address; the DNS server(s) translate that name into an IP address;

Optionally the DHCP server can give more information, such as a PXE boot file name or the address of another DHCP server acting as master…

The file to edit to configure all of that is /etc/dhcp/dhcpd.conf. If you are using Debian, the existing file contains many commented samples with explanations which can be a good help. Note that Debian versions prior to Squeeze have /etc/dhcp3/dhcpd.conf instead. Here is what that file looks like:


# Begin /etc/dhcp/dhcpd.conf
# Use the "interim" style of dynamic DNS updates: when a lease changes, the
# server tells the DNS server, checking first that the record is not already
# present. The older "ad-hoc" style pushes updates without that check and is
# deprecated. Use "none" if no DNS server of yours accepts updates.
ddns-update-style interim;

# Domain name handed to clients, and the resolvers they will use: the ISP's
# servers, and the router itself (192.168.0.254) if it also runs a DNS server.
option domain-name "jeff.levasseur.org";
option domain-name-servers 212.27.40.241, 212.27.40.240, 192.168.0.254;

# Lease time (in seconds): 10 minutes by default, 2 hours at most. Keep these
# short: with multi-year values the small WiFi pool below is never freed.
default-lease-time 600;
max-lease-time 7200;

# eth1 subnet configuration: this will give addresses from 192.168.0.10 to
# 192.168.0.250 and it is the only thing you may change. Note that you
# can have several ranges, and ranges with only one address.
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.10 192.168.0.250;
    option routers 192.168.0.254;
    option broadcast-address 192.168.0.255;
}

# eth2 subnet configuration: here you have an example of multiple ranges
# and a different mask (/25: hosts .1 to .126, broadcast .127). Guests get
# only the ISP's resolvers, not the router's private-zone address.
subnet 192.168.1.0 netmask 255.255.255.128 {
    range 192.168.1.1 192.168.1.10;
    range 192.168.1.30 192.168.1.40;
    range 192.168.1.50;
    option routers 192.168.1.126;
    option broadcast-address 192.168.1.127;
    option domain-name-servers 212.27.40.241, 212.27.40.240;
}
# End /etc/dhcp/dhcpd.conf

Before restarting, check the syntax with "dhcpd -t -cf /etc/dhcp/dhcpd.conf", and make sure the server listens only on the internal interfaces: set INTERFACES="eth1 eth2" in /etc/default/isc-dhcp-server (/etc/default/dhcp3-server on Lenny), otherwise it will also answer DHCP requests arriving on eth0, the internet side. Then apply the changes by restarting the DHCP server:

/etc/init.d/isc-dhcp-server restart

(on Lenny the package and its init script are named dhcp3-server).

You should test the DHCP server by reconfiguring the network on one of the client machines and pinging the router. For example with Linux:

dhclient eth0
ifconfig
ping 192.168.0.254

(for a client in the WiFi zone, ping the router's address in that zone instead). If dhclient gives you a good IP address (shown by ifconfig, or by "ip addr") and ping reports no packet loss, your DHCP server is well configured. With Windows, use the Control Panel to configure the client's network settings. If you use a WiFi hotspot, configure it before doing this test.

Note that at this point your local network should be fully functional, but you will have no access to any external network or to the internet, as no routing is active yet. That is the subject of the next section.

2.3. Configuring IPTables

IPTables is the command-line tool that manages Netfilter, the packet filtering framework built into the Linux kernel. Netfilter is far more than a firewall: it can redirect traffic by port or by IP address, do NAT (Network Address Translation), send connections to a local proxy, etc. Here we will need nearly all of these features to make a strong firewall and router. Keep in mind that the kernel does not pass packets between interfaces until IP forwarding is enabled (net.ipv4.ip_forward=1), something the script must do before its FORWARD rules are of any use. To activate our rules at boot time we will create a script called from the init scripts of our distribution. That script looks like this:


#!/bin/sh
# IPTABLES PROXY script for the Linux >= 2.4 kernel.
# This script is a derivative of the script presented in
# the IP Masquerade HOWTO page at (obsolete):
# www.tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html
# It was simplified to coincide with the configuration of
# the sample system presented in the Guides section of
# www.aboutdebian.com
#
# PLEASE SET THE USER VARIABLES
# IN SECTIONS A AND B OR C
echo "SETTING UP IPTABLES PROXY..."
# === SECTION A
# ----------- FOR EVERYONE
# SET THE INTERFACE DESIGNATION FOR THE NIC CONNECTED TO YOUR INTERNAL NETWORK
# The value below is "eth1", the private zone of this tutorial. It
# could also be "eth0" if the internal NIC is the first one in your system.
# You can use the ifconfig command to list the interfaces
# on your system. The internal interface will likely have
# an address that is in one of the private IP address
# ranges.
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.
# Enter the internal interface's designation for the
# INTIF variable:
INTIF="eth1"
# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION

In fact it nearly is… The next step would be to handle some particular cases (e.g. a router behind a proxy, a WiFi access point, or PXE server adaptations). The instructions given here are enough to build a good, simple router.
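As an added example for this section (my code, neither the script above nor the author's), here is a complete rule set for the three zones of this tutorial, written so that it can also be run without root to print the rules it would apply. It assumes the interface names and addresses used throughout the page (eth0 to the internet by DHCP, eth1 for 192.168.0.0/24, eth2 for 192.168.1.0/25), a kernel with the conntrack match (any 2.6 kernel), and two control variables of my own, DRY_RUN and APPLY.

```shell
#!/bin/sh
# Added example, not the page's script: a complete rule set for the three
# zones of this tutorial (eth0 internet by DHCP, eth1 private 192.168.0.0/24,
# eth2 public WiFi 192.168.1.0/25). Deny by default, stateful, guests kept
# out of the private zone, NAT for both zones, plus a port-forward helper.
# DRY_RUN=1 prints the commands instead of running them (no root needed).
set -u
EXTIF="eth0"
INTIF="eth1"
WIFIIF="eth2"
INTNET="192.168.0.0/24"
WIFINET="192.168.1.0/25"
IPT="${IPT:-iptables}"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}
ipt() { run "$IPT" "$@"; }

# Create a chain if it does not exist, otherwise empty it. This is idempotent
# and does not rely on parsing the output of "iptables -L".
ensure_chain() {
    ipt -N "$1" 2>/dev/null || ipt -F "$1"
}

# Publish a private-zone service on the external address: DNAT in PREROUTING
# plus a matching FORWARD accept, inserted above the final drop rule.
# Usage: forward_port tcp 2222 192.168.0.251 22
forward_port() {
    ipt -t nat -A PREROUTING -i "$EXTIF" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$4"
    ipt -I FORWARD -i "$EXTIF" -o "$INTIF" -p "$1" -d "$3" --dport "$4" \
        -m conntrack --ctstate NEW -j ACCEPT
}

apply_rules() {
    # The kernel does not route between interfaces until told to.
    run sysctl -q -w net.ipv4.ip_forward=1

    # Start from a clean, deny-by-default state.
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ensure_chain drop-and-log-it
    ipt -A drop-and-log-it -m limit --limit 5/min -j LOG --log-prefix "DROP: "
    ipt -A drop-and-log-it -j DROP

    # Traffic to the router itself: loopback, replies to its own connections,
    # then only the services each zone is meant to use: DHCP from both
    # internal zones, DNS and SSH from the private zone only, and nothing
    # new from the internet side (add a rule there only if you really need it).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j drop-and-log-it
    for zone in "$INTIF" "$WIFIIF"; do
        ipt -A INPUT -i "$zone" -p udp --dport 67 -j ACCEPT
    done
    ipt -A INPUT -i "$INTIF" -s "$INTNET" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$INTIF" -s "$INTNET" -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$INTIF" -s "$INTNET" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request \
        -m limit --limit 10/s -j ACCEPT
    ipt -A INPUT -j drop-and-log-it

    # Traffic through the router: replies always, each zone to the internet,
    # and guests never into the private zone.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WIFIIF" -o "$INTIF" -j drop-and-log-it
    ipt -A FORWARD -i "$INTIF" -s "$INTNET" -o "$EXTIF" -j ACCEPT
    ipt -A FORWARD -i "$WIFIIF" -s "$WIFINET" -o "$EXTIF" -j ACCEPT
    ipt -A FORWARD -j drop-and-log-it

    # NAT: both zones leave with the DHCP-assigned external address.
    ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE
    ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$WIFINET" -j MASQUERADE
}

# APPLY=1 runs the rules (as root, e.g. from an init script at boot);
# add DRY_RUN=1 to only print them.
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
fi
```

Save it under any name you like (for example /usr/local/sbin/firewall), run "APPLY=1 DRY_RUN=1 sh firewall" to review the rules, then "APPLY=1 sh firewall" as root, and call it the same way from your init script. Two points worth noting: with the INPUT policy set to DROP, a forgotten or removed accept rule refuses traffic instead of silently letting it in (removing the SSH rule here really does close port 22), and drop-and-log-it is created with "iptables -N" or flushed if it already exists, which is more reliable than grepping "iptables -L".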

Hi there, thanks a lot for this excellent tut, I have some questions please: 'iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT' – if I remove this I still can make a new connection to port 22 from outside… is this OK?

Hum, as far as I know, it should not. But in any case internal network protection is the only goal of that script… The external interface may still be unprotected. In my case the router is allowing me special services and a complex redirection system. The router itself is protected by a set-top box which acts as a router as well. I'll try to find a better external interface protection and give it to you when I get it. Note that the default protection given by Netfilter depends on the kernel compilation configuration, and so on the distribution you use.

I'm on a debian6 box with the 2.6.32 standard kernel. Also this:
if [ "iptables -L | grep drop-and-log-it" ]; then
    iptables -F drop-and-log-it
fi
does not find anything and the only solution is dropping all of them with 'iptables -F'.
Also, when you have some time, could you please post some port forward rules?